Plus Sign

Identifying Sources of Leaks with the Gmail “+” Feature

For years, Google is offering two nice features with his gmail.com platform to gain more power of your email address. You can play with the “+” (plus) sign or “.” (dot) to create more email addresses linked to your primary one. Let’s take an example with John who’s the owner of john.doe@gmail.com. John can share the email address “john.doe+soccer@gmail.com” with his friends playing soccer or “john.doe+security@gmail.com”  to register on forums talking about information security. It’s the same with dots. Google just ignore them. So “john.doe@gmail.com” is the same as “john.d.oe@gmail.com”. Many people use the “+” format to optimize the flood of email they receive every day and automatically process it / store it in separate folders. That’s nice but it can also be very useful to discover where an email address is being used.

A few days ago, Troy Hunt, the owner of haveibeenpwned.com service (if you don’t know it yet, just have a look and register!), announced that new massive dumps were in the wild for a total of ~1B passwords! The new dumps are called “Exploit.In” (593M entries) and “Anti Public Combo List” (427M entries). The sources of the leaks are not clear. I grabbed a copy of the data and searched for Google “+” email addresses.

Not surprising, I found +28K unique accounts! I extracted strings after the “+” sign and indexed everything in Splunk:

Gmail Tags

As you can see, we recognise some known online services:

  • xtube (adult content)
  • friendster (social network)
  • filesavr (file exchange service in the cloud)
  • linkedin (social network)
  • bioware (gaming platform)

This does not mean that those platforms were breached (ok, LinkedIn was) but it can give some indicators…

Here is a dump of the top identified tags (with more than 3 characters to keep the list useful). You can download the complete CSV here.

Tag Count
xtube

37

spam

18

filedropper

17

daz3d

12

bioware

11

friendster

10

savage

10

linkedin

8

eharmony

7

filesavr

6

bryce

5

savage2

5

porn

4

precyl

4

bravenet

3

comicbookdb

3

freebie

3

freebiejeebies

3

freebies

3

hackforums

3

junk

3

kffl

3

social

3

youporn

3

97979797

2

brice

2

dazstudio

2

detnews

2

eharm

2

free

2

gamigo

2

hack

2

heroesofnewerth

2

itickets

2

lists

2

luther

2

paygr

2

policeauctions

2

test

2

texasmonthly

2

toddy

2

trzy

2

usercash

2

xtube2

2

5 comments

  1. I have to add that this ‘+’ Feature is nothing google came up with, other can do that too.

    As Herman already wrote: most websites do not comply with the RFC5322 for the format. I always write them a mail to get their server to comply.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.